How to Identify Secure Software Vendors

You can invest all the time and money in the world ensuring that your internal systems are safe and secure, but with more and more third party vendors being used each year, it's all for nothing if they're not secure too.

It raises an important question though: how do we identify secure software vendors?

In today's post I highlight some of the things you should look out for when attempting to identify secure software vendors.

Ask About Application Engineering

Ask the vendor about the security of their software development processes. Some good questions to ask are:

Are your developers trained in secure software development? How?

Is security built into the software development process? How?

Have you threat modeled your applications?

How do you do secure code reviews?

Do you use tools to minimise risk? Which ones?

Do you perform regular penetration tests? Who is responsible for them?

Whilst the vendor may be reluctant to share more detailed information due to security concerns, a good enterprise vendor should be able to provide suitable answers to these questions. You'll probably need to talk to someone in the engineering department to get a thorough understanding of how seriously the vendor takes application security.

Ask About Product Management

The management and development of products needs to be secure as much as the software development processes themselves. Some good questions to ask include:

Do you have well documented product development processes and practices?

Do you formally manage requirements, design, and ensure security is built into products at the design stage?

Explain your quality management processes.

It may be worth trying to talk to a product manager to ask these questions. Don't mention that you're trying to get an insight into security. See how the product manager answers the questions, and whether they mention security or focus exclusively on design and functionality.

Perform Basic Tests & Checks

It may be worth hiring a security consultant to assess a vendor's website and web applications (if applicable), or, if the budget for that is out of the question, doing some basic testing yourself. Take a look through the company's website and see how prominent security concerns are:

Do they discuss security, or does it look like an afterthought?

Do they use SSL/TLS (HTTPS) for pages that contain forms asking for sensitive details (e.g. credit card numbers, bank information, sensitive company information)?

Are they assessed for security by any third parties? Who? What do they test for?
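The HTTPS-for-sensitive-forms check above is easy to automate against the HTML of a vendor's pages. The following is an added example written for this post, not code from the original article: it parses each page's forms, resolves each form's submission URL relative to the page, and flags any form that carries a password, card or account field but would submit over plain HTTP. The pages, the vendor.example host and the field-name hints are constructed assumptions; in practice you would feed it the HTML you fetched from the vendor's site. Note the caveat that it only inspects form actions, so data sent by JavaScript, and whether the HTTPS endpoint itself is correctly configured, still need separate checks.

```python
"""Flag HTML forms that would send sensitive fields over plain HTTP.

Added example for a basic vendor-website check; the sample pages below are
constructed and do not describe any real vendor.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Input types and name fragments we treat as sensitive (assumed heuristics).
SENSITIVE_TYPES = {"password"}
SENSITIVE_NAME_HINTS = ("card", "cvv", "cvc", "iban", "account", "ssn", "passw", "secret")


class FormAuditor(HTMLParser):
    """Collect every <form> on a page with its resolved action and sensitive inputs."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action means "submit to this page", so
            # urljoin() resolves it to the page URL and inherits its scheme.
            action = a.get("action") or ""
            self._current = {"action": urljoin(self.page_url, action), "sensitive_fields": []}
        elif tag == "input" and self._current is not None:
            name = (a.get("name") or "").lower()
            itype = (a.get("type") or "text").lower()
            if itype in SENSITIVE_TYPES or any(h in name for h in SENSITIVE_NAME_HINTS):
                self._current["sensitive_fields"].append(name or itype)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_forms(page_url, html):
    """Return findings for forms that submit sensitive fields somewhere other than HTTPS."""
    parser = FormAuditor(page_url)
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        scheme = urlsplit(form["action"]).scheme.lower()
        if form["sensitive_fields"] and scheme != "https":
            findings.append({
                "page": page_url,
                "action": form["action"],
                "fields": form["sensitive_fields"],
                "reason": f"sensitive fields submitted over {scheme or 'unknown scheme'}",
            })
    return findings


def audit_site(pages):
    """Run audit_forms over a {page_url: html} mapping and return all findings."""
    findings = []
    for url, html in pages.items():
        findings.extend(audit_forms(url, html))
    return findings


# Constructed sample pages: one login page served over plain HTTP, and one
# HTTPS checkout page whose payment form posts to an HTTP endpoint.
SAMPLE_PAGES = {
    "http://vendor.example/login": """
        <form action="/session" method="post">
          <input type="text" name="username">
          <input type="password" name="password">
        </form>
        <form action="/search"><input type="text" name="q"></form>
    """,
    "https://vendor.example/checkout": """
        <form action="http://pay.vendor.example/charge" method="post">
          <input name="card_number"><input name="cvv">
        </form>
        <form action="" method="post"><input type="password" name="pin"></form>
    """,
}


if __name__ == "__main__":
    for finding in audit_site(SAMPLE_PAGES):
        print(f"{finding['page']}: {finding['action']} -> {finding['reason']} {finding['fields']}")
```

The search form and the PIN form are deliberately not reported: the first carries nothing sensitive, and the second resolves to the HTTPS page it sits on. A finding on a vendor's real site is a conversation starter for the engineering questions above rather than a verdict on its own.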

With much of a company's data now in the cloud, it's more important than ever that companies work with secure vendors. Take the selection process seriously, and don't let an insecure vendor result in your company's confidential documents being leaked, or worse.